original message!
I have an intra-VLAN network which hops subnets and networks. All Cisco,
all working normally.
We presently have a virus on one computer and we are trying to zero in on
its origin on our LAN.
QMail will tell us the user name ([EMAIL PROTECTED]) but not the original
true IP address or computer name.
Level = debug for both ClamAV and Qmail, but the only origin IP we get is
that of the gateway.
I have meticulously examined every possible log in /var/logs/./. and all
ClamAV logs and all qmail-scanner logs.
nothing
zip
zero
only gateway IP is available!
Does anyone know where to look for an email's true origin, or how to initialize a
higher level of debug?
Brad Sumrall
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
second message
Log info and complete header and footer of message
This is an overview of the information provided by QMail and the emails.
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Received: from adsl-66-120-105-146.dsl.sndg02.pacbell.net (HELO
> entekbuckets.com) (66.120.105.146)
> by entekbuckets.com with SMTP; 14 Jun 2005 13:47:46 -0700
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS
> Date: Tue, 14 Jun 2005 13:47:46 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0009_099EFC25.1F26CD3D"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]>
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0009_099EFC25.1F26CD3D
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
>
> The original message has been included as an attachment.
>
>
> ------=_NextPart_000_0009_099EFC25.1F26CD3D
> Content-Type: application/octet-stream;
> name="information.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="information.zip"
>
> begin blah blah blah blah the body of the message is here
>
>
> ------=_NextPart_000_0009_099EFC25.1F26CD3D--
>
>
>
> *** Qmail-Scanner Quarantine Envelope Details Begin ***
> X-Qmail-Scanner-Mail-From: "[EMAIL PROTECTED]" via samba.entekbuckets.com
> X-Qmail-Scanner-Rcpt-To: "[EMAIL PROTECTED]"
> X-Qmail-Scanner: 1.25-st-qms (clamdscan: 0.83/921. spamassassin: 3.0.2.
> perlscan: 1.25-st-qms. virus Found. Processed in 1.378383 secs) process
> 2504
> Quarantine-Description: Worm.Mytob.CL
> *** Qmail-Scanner Envelope Details End ***
>
> *** Qmail-Scanner Envelope Details Begin ***
> X-Qmail-Scanner-Mail-From: "[EMAIL PROTECTED]" via samba.entekbuckets.com
> X-Qmail-Scanner-Rcpt-To: "[EMAIL PROTECTED]"
> X-Qmail-Scanner: 1.25-st-qms (clamdscan: 0.83/921. spamassassin: 3.0.2.
> perlscan: 1.25-st-qms. Clear::RC:0(66.120.105.146):. Processed in
> 1.439189 secs)
> *** Qmail-Scanner Envelope Details End ***
>
>
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> error log
>
>
> Tue, 14 Jun 2005 16:50:43 PDT:4761:
> return-path='[EMAIL PROTECTED]',
> recips='[EMAIL PROTECTED]'
> Tue, 14 Jun 2005 16:50:43 PDT:4761: from='[EMAIL PROTECTED]', subj='WVJXAIWEBPJMOTU', via
> SMTP from 66.120.105.146
> Tue, 14 Jun 2005 16:50:43 PDT:4761: clamdscan: there be a virus!
> (Worm.Mytob.CL)
> Tue, 14 Jun 2005 16:50:43 PDT:4761: clamdscan: finished scan in 0.23359 secs
> Tue, 14 Jun 2005 16:50:43 PDT:4761: ini_sc: finished scan of
> "/var/spool/qmailscan/tmp/samba.entekbuckets.com11187930417754761"...
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OK, I'm not a super-guru, but are you *certain* that someone on the inside is sending these from their computer from the inside of your LAN? Forward this to the list, so we can get some other eyeballs on it. And are these the complete headers?
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Yes this is the complete header and footer for the emails in
question.
The viruses are coming from one computer that has multiple login screen
names on our domain.
They are coming from our LAN "DEFINITELY", no outside access to email is
available.
The screen names sending them are
our previous tech's (already cleaned his "known" workstation which had the
virus on it).
The only problem is this guy would work from 20 different computers on
those screen names which he created everywhere.
We just can't find this last one!
The originating IP address would look like one of these two:
192.168.1.
255.255.255.224
or
192.168.2.
255.255.255.224
There is no other possible location or network because he was only
physically at these network locations.
QMail server resides at:
192.168.0.
255.255.255.0
Note:
Each network ID is a different VLAN site
site 1 192.168.0. 255.255.255.0
site 2 192.168.1. 255.255.255.224
site 3 192.168.2. 255.255.255.224
Brad Sumrall
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Update!
I just sent an email from entekbuckets.com to another account. There in the
header is the "TRUE" originating IP address.
This information is not available once the qmail scanner gets hold of
it.
It would appear that there may be a bug here. The scanner is stripping away
critical information without any way of retrieving it???
Suggestions anyone?
Here is the AOL-received message from entekbuckets.com.
To answer earlier questions about the possibility of the virus spoofing an
IP address:
1 The network is a LAN network only using NAT
translation for SMTP traffic.
2 This server is a QMail Rocks installation
accepting only traffic from the entekbuckets.com domain. Basically a QMail Rocks
default installation with a few modifications to ensure it does not relay.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Message from entek to AOL
Return-Path: <[EMAIL PROTECTED]>
Received: from rly-ya06.mx.aol.com (rly-ya06.mail.aol.com [172.18.141.88]) by air-ya04.mail.aol.com (v106.2) with ESMTP id MAILINYA44-77342afa7c98e; Wed, 15 Jun 2005 00:00:21 -0400
Received: from entekbuckets.com (dsl001-138-002.snd1.dsl.speakeasy.net [72.1.138.2]) by rly-ya06.mx.aol.com (v106.2) with ESMTP id MAILRELAYINYA69-77342afa7c98e; Wed, 15 Jun 2005 00:00:09 -0400
Received: (qmail 7768 invoked by uid 509); 14 Jun 2005 21:00:08 -0700
Received: from 192.168.0.45 by samba.entekbuckets.com (envelope-from <[EMAIL PROTECTED]>, uid 508) with qmail-scanner-1.25-st-qms (clamdscan: 0.83/921. spamassassin: 3.0.2. perlscan: 1.25-st-qms. Clear:RC:0(192.168.0.45):SA:0(-2.4/5.0):. <-------------------------------------True IP in header Processed in 0.185756 secs); 15 Jun 2005 04:00:08 -0000
X-Spam-Status: No, hits=-2.4 required=5.0
Received: from unknown (HELO avnhome1) ([EMAIL PROTECTED]@192.168.0.45) by entekbuckets.com with SMTP; 14 Jun 2005 21:00:08 -0700
From: "brad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: header test
Date: Tue, 14 Jun 2005 21:00:11 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_017E_01C57124.0DE96C90"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcVxXrofFjvYecFVRHKELfV8bQxs8w==
X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]>
X-AOL-IP: 72.1.138.2
X-AOL-SCOLL-SCORE: 0:2:270481950:11327976
X-AOL-SCOLL-URL_COUNT: 0
Message-ID: <[EMAIL PROTECTED]>

Take notice from the earlier posting and above information. Critical
information appears to be missing once QMail scanner grabs hold of it.
Brad Sumrall
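The two header sets in this thread differ in exactly one place: what the earliest Received: line records as the connecting address. As an added illustration (not code from the list, from Brad, or from qmail-scanner), the script below walks a message's Received: chain oldest-hop-first, pulls out the address the receiving server itself observed on each hop (as opposed to the reverse-DNS and HELO names, which are only claims), and checks that address against the three site networks Brad listed. The sample headers are constructed from the ones quoted above with placeholder addresses; the site subnets and the local host names are assumptions taken from the thread.

```python
"""Trace where an SMTP message entered the server from its Received: headers.

Added example for this thread, not code from the list, from Brad or from
qmail-scanner. The sample headers are constructed from the ones quoted in
the thread (addresses replaced with placeholders); the site networks are
the ones Brad listed.
"""
import email
import ipaddress
import re
from typing import Optional

SITES = {  # site networks as given in the thread
    "site 1 (QMail server)": ipaddress.ip_network("192.168.0.0/24"),
    "site 2": ipaddress.ip_network("192.168.1.0/27"),
    "site 3": ipaddress.ip_network("192.168.2.0/27"),
}
# A client that says HELO with one of these names is making a claim, not proving anything.
LOCAL_HOSTS = {"entekbuckets.com", "samba.entekbuckets.com"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
FROM_BY_RE = re.compile(r"\bfrom\b(.*?)\bby\b", re.IGNORECASE)


def received_hops(raw_message: str) -> list:
    """Received: headers oldest first, each unfolded onto one line. Every MTA
    prepends its own line, so the last one in the message is the first hop."""
    msg = email.message_from_string(raw_message)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def hop_client_ip(hop: str) -> Optional[str]:
    """The address the receiving MTA observed: the dotted quad between 'from'
    and 'by'. Names beside it are only claims, and a local hop such as
    '(qmail 7768 invoked by uid 509)' carries no client address at all."""
    m = FROM_BY_RE.search(hop)
    ips = IPV4_RE.findall(m.group(1)) if m else []
    return ips[0] if ips else None


def classify(ip_str: str) -> str:
    ip = ipaddress.ip_address(ip_str)
    for site, net in SITES.items():
        if ip in net:
            return site
    return "private, not one of our sites" if ip.is_private else "NAT gateway or external host"


def trace_origin(raw_message: str) -> dict:
    """Report the first hop carrying a client address: the address, the site it
    maps to, and whether the HELO name claims one of our own hosts while the
    address is not internal (the worm case: the header can only show the
    gateway, so the gateway's NAT log for that timestamp is the next step)."""
    for hop in received_hops(raw_message):
        ip = hop_client_ip(hop)
        if ip:
            helo = HELO_RE.search(hop)
            name = helo.group(1).lower() if helo else None
            site = classify(ip)
            return {"origin_ip": ip, "origin_site": site, "origin_is_internal": site in SITES,
                    "helo": name, "helo_claims_local_host": name in LOCAL_HOSTS}
    return {"origin_ip": None, "origin_site": "no client address found",
            "origin_is_internal": False, "helo": None, "helo_claims_local_host": False}


# Constructed from the quarantined worm message quoted in the thread.
QUARANTINED = """Received: from adsl-66-120-105-146.dsl.sndg02.pacbell.net (HELO entekbuckets.com) (66.120.105.146)
  by entekbuckets.com with SMTP; 14 Jun 2005 13:47:46 -0700
From: user@entekbuckets.com
Subject: YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS

(body omitted)
"""

# Constructed from Brad's "header test" message as it arrived at AOL.
HEADER_TEST = """Received: from rly-ya06.mx.aol.com (rly-ya06.mail.aol.com [172.18.141.88])
  by air-ya04.mail.aol.com (v106.2) with ESMTP; Wed, 15 Jun 2005 00:00:21 -0400
Received: from entekbuckets.com (dsl001-138-002.snd1.dsl.speakeasy.net [72.1.138.2])
  by rly-ya06.mx.aol.com (v106.2) with ESMTP; Wed, 15 Jun 2005 00:00:09 -0400
Received: (qmail 7768 invoked by uid 509); 14 Jun 2005 21:00:08 -0700
Received: from 192.168.0.45 by samba.entekbuckets.com (envelope-from <brad@entekbuckets.com>, uid 508)
  with qmail-scanner-1.25-st-qms (Clear:RC:0(192.168.0.45):SA:0(-2.4/5.0):.); 15 Jun 2005 04:00:08 -0000
Received: from unknown (HELO avnhome1) (brad@entekbuckets.com@192.168.0.45)
  by entekbuckets.com with SMTP; 14 Jun 2005 21:00:08 -0700
Subject: header test

(body omitted)
"""

if __name__ == "__main__":
    for label, raw in (("quarantined worm mail", QUARANTINED), ("header test", HEADER_TEST)):
        print(label, trace_origin(raw))
```

On the header-test sample the script resolves 192.168.0.45 to site 1; on the quarantined sample it reports 66.120.105.146 with a HELO of entekbuckets.com and places it outside all three sites. A Received: line can only record the address the TCP connection actually arrived from, so when SMTP from the other sites is NAT-translated, as the thread describes, that line will name the gateway no matter what the scanner does with it; the mapping back to the internal host has to come from the gateway's NAT translation records for the timestamp on that line.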